All network traffic to KDC goes through the SOCKS4a proxy if it is
configured.
This is deliberately kept simple -- and is not generalized to SOCKS4
or SOCKS5 or other types of proxies -- so it is easy to audit for
network and DNS leaks. (SOCKS4 works in IP addresses, and so invites
DNS leaks. SOCKS5 can be OK, if used judiciously, but takes more
work to implement.)
This only affects krb5_sendto -- the other initiator of network
traffic in libkrb5, krb5_change_password, will be fixed to respect
socks4a_proxy in a subsequent commit.
XXX Need to figure out where the socks4a.c code should go.
fix https://github.com/heimdal/heimdal/issues/1151
Acording to POSIX <poll.h> should be used instead of <sys/poll.h>.
Libcs like musl libc added a redict due maintain compat with older
glibcs and added the following warning:
/usr/include/sys/poll.h:1:2: warning: #warning redirecting incorrect #include <sys/poll.h> to <poll.h> [-Wcpp]
1 | #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
| ^~~~~~~
Ref: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/poll.h.html
This API is used for both const and non-const strings, depending on
whether there is a deallocator passed or not, so the C type system
can't distinguish this for us.
XXX Perhaps this should be two separate APIs, one which takes
const-qualified pointers and one which takes non-const-qualified
pointers.
This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().
It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).
The point of this commit is to explore:
- GSS functionality for kinit-like actions
- credential store key/value pairs supported by the mechanisms
- document the credential store key/value pairs (in gsstool.1)
that might lead to further enhancements. But gsstool acquire-cred
is quite functional at this point!
